Azure AD keys

  • Question

  • This https://login.microsoftonline.com/common/discovery/keys is accessible to anyone from the Internet. I know these are public keys, but I am being asked to protect these keys. Is it possible? If so, please send documents.

    Thanks

    Tuesday, November 19, 2019 6:04 PM

Answers

  • Hello CatClaw63,

    No, these values are publicly available. This is part of the OIDC flow requirement, and the keys have to be public.

    For more information on how this works please review: https://www.onelogin.com/blog/openid-connect-explained-in-plain-english

    From the doc above: 

    Well Known Endpoint

    You have probably noticed by now that the client needs to know quite a bit of information about the provider in order to properly do all the various OIDC handshakes and exchanges. Plus there’s the question of where it should go to grab the public keys used to sign or encrypt this information.

    To streamline this process, OIDC providers can support the ‘well known’ endpoint. Here, OIDC defines a set of values that can be retrieved by a client in order to self-configure. And while some of this information is unlikely to change, other pieces are expressly designed to be updated periodically.

    Ex. If you look at https://accounts.google.com/.well-known/openid-configuration you’ll find an entry for “jwks_uri”: “https://www.googleapis.com/oauth2/v3/certs”

    This jwks_uri value is a URI a client can access to get information on all the JWK keys used by Google, in a format specified by part of the OIDC spec.

    And one of the values returned for each key is a key id (kid) which can be used to quickly determine if the crypto key has changed.

    Long story short, by checking this value, a client can determine if the provider has changed its public key since the last time it used it and automatically update itself to use this new information.

    Basically, this gives us automatic key rotation. Take that SAML!

    In addition to that, the official Microsoft docs go over how this works as well: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code

    Please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions. Thanks

    Tuesday, November 19, 2019 7:22 PM
    Moderator
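How the discovery document, jwks_uri and kid lookup described in the answer play out on the client side, as an added example that is not part of the original thread or of any Microsoft code. It shows why the keys being public is harmless: a relying party only ever reads them, uses the token's kid to pick the matching key, and re-downloads the set when an unknown kid appears (automatic rotation). The issuer, key ids and JWK contents are constructed placeholders, and the FakeProvider class stands in for the network so the code runs offline; a real deployment would pass the default http_fetch_json and the real discovery URL.

```python
import base64
import json
import time
import urllib.request
from typing import Callable, Dict, Optional

# Constructed sample documents: hypothetical issuer and key material, not real Azure AD values.
SAMPLE_DISCOVERY = {
    "issuer": "https://login.example.test/common/v2.0",
    "jwks_uri": "https://login.example.test/common/discovery/keys",
}
SAMPLE_JWKS_BEFORE_ROTATION = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "key-2019-11", "e": "AQAB", "n": "placeholder-modulus-1"}]}
SAMPLE_JWKS_AFTER_ROTATION = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "key-2019-12", "e": "AQAB", "n": "placeholder-modulus-2"}]}

# Pin the asymmetric algorithm; the token must never get to choose "none" or an HMAC alg.
ALLOWED_ALGS = {"RS256"}


def http_fetch_json(url: str) -> dict:
    """Default fetcher for real use: GET an operator-configured URL and parse the JSON body."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Parse only the protected header of a compact JWS; no signature is verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0]))


class JwksCache:
    """Resolves a token's signing key via OIDC discovery, refreshing the key set on an unknown kid."""

    def __init__(self, discovery_url: str, fetch: Callable[[str], dict] = http_fetch_json,
                 min_refresh_interval: float = 300.0, now: Callable[[], float] = time.monotonic):
        self.discovery_url, self.fetch, self.now = discovery_url, fetch, now
        self.min_refresh_interval = min_refresh_interval
        self.jwks_uri: Optional[str] = None
        self.keys: Dict[str, dict] = {}
        self.last_refresh: Optional[float] = None

    def refresh(self) -> None:
        """Read jwks_uri from the discovery document once, then download and index keys by kid."""
        if self.jwks_uri is None:
            self.jwks_uri = self.fetch(self.discovery_url)["jwks_uri"]
        jwks = self.fetch(self.jwks_uri)
        self.keys = {k["kid"]: k for k in jwks["keys"] if k.get("use", "sig") == "sig" and "kid" in k}
        self.last_refresh = self.now()

    def _refresh_allowed(self) -> bool:
        # Throttle refreshes so a stream of tokens carrying bogus kids cannot hammer the provider.
        return self.last_refresh is None or self.now() - self.last_refresh >= self.min_refresh_interval

    def key_for(self, token: str) -> dict:
        """Return the JWK whose kid matches the token header, refreshing once if it is unknown."""
        header = jwt_header(token)
        if header.get("alg") not in ALLOWED_ALGS:
            raise ValueError(f"unexpected alg {header.get('alg')!r}")
        kid = header.get("kid")
        if not kid:
            raise ValueError("token header has no kid")
        if kid not in self.keys and self._refresh_allowed():
            self.refresh()  # the provider may have rotated its keys since we last looked
        if kid not in self.keys:
            raise KeyError(f"no signing key with kid {kid!r}")
        return self.keys[kid]


def make_unsigned_token(kid: str, alg: str = "RS256") -> str:
    """Build a token with the given header for the demo; the signature segment is a placeholder."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": alg, "typ": "JWT", "kid": kid}), enc({"sub": "demo"}), "sig-placeholder"])


class FakeProvider:
    """Constructed stand-in for the identity provider's HTTP endpoints (offline)."""

    def __init__(self) -> None:
        self.jwks = SAMPLE_JWKS_BEFORE_ROTATION
        self.calls = 0

    def fetch(self, url: str) -> dict:
        self.calls += 1
        if url.endswith("/.well-known/openid-configuration"):
            return SAMPLE_DISCOVERY
        if url == SAMPLE_DISCOVERY["jwks_uri"]:
            return self.jwks
        raise ValueError(f"unexpected URL {url}")


def run_demo() -> dict:
    """Exercise the cache against the constructed provider and return what was observed."""
    clock = [1000.0]
    provider = FakeProvider()
    cache = JwksCache(SAMPLE_DISCOVERY["issuer"] + "/.well-known/openid-configuration",
                      fetch=provider.fetch, now=lambda: clock[0])
    out = {"first_kid": cache.key_for(make_unsigned_token("key-2019-11"))["kid"]}
    out["fetches_after_first"] = provider.calls  # discovery document + JWKS
    cache.key_for(make_unsigned_token("key-2019-11"))
    out["fetches_after_cached_hit"] = provider.calls  # unchanged: served from cache
    provider.jwks = SAMPLE_JWKS_AFTER_ROTATION  # provider rotates its signing key
    clock[0] += 600
    out["rotated_kid"] = cache.key_for(make_unsigned_token("key-2019-12"))["kid"]
    out["fetches_after_rotation"] = provider.calls  # exactly one more JWKS download
    try:
        cache.key_for(make_unsigned_token("bogus-kid"))
        out["bogus_kid_rejected"] = False
    except KeyError:
        out["bogus_kid_rejected"] = True
    out["fetches_after_bogus"] = provider.calls  # throttled: no extra download
    try:
        cache.key_for(make_unsigned_token("key-2019-12", alg="none"))
        out["alg_none_rejected"] = False
    except ValueError:
        out["alg_none_rejected"] = True
    return out


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The selected JWK would then be handed to a JOSE library for the actual RS256 signature check together with issuer, audience and expiry validation; the lookup above is only the key-selection step. Note that rotation works because the client trusts the discovery URL it was configured with and the TLS connection to it, not because the key set itself is secret, which is why publishing the keys endpoint costs nothing in security.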